Evaluation Findings

Governance

However, given the absence of consistent meeting minutes, other documentation, the evaluation was unable to assess the extent to which oversight committees were able to fulfill their mandates.

Although roles and responsibilities of various players have been clarified and information-sharing and level of collaboration have improved, there are still some lingering issues that would require further improvement.

Implementation

Most of the Strategy-funded activities have been fully implemented as intended, with the exception of four activities.

Three organizations have reported under-spending of the allocated funding, two organizations spent more, two the exact amount and one was unable to track its relevant expenditures; three organizations faced difficulty staffing certain technical positions, particularly in a secret and/or top secret environment.

Performance

The GC has increased its capacity to prevent, detect, respond to, and recover from cyber-attacks.

The numbers of data breaches has declined over the course of the Strategy.

The GC now analyzes and contains breaches more quickly than had been possible in the past.

These improvements were made despite an increase in state and no-state-sponsored cyber activities against GC's networks.

Closer partnerships have been forged with critical infrastructure owners and operators and other private sector stakeholders.

Despite public awareness activities undertaken it is unclear to what extent Canadians are safer online.

Recommendations

In collaboration with participating organizations, the Senior ADM of the National and Cyber Security Branch, Public Safety, should consider undertaking the following:

Strengthen horizontal governance of cyber security in the Government of Canada by:

re-assessing the governance structure to determine the need and demand for the current committee configuration and to improve participation;

improving the provision of secretariat support, including coordination, information management and other administrative services;

ensuring that governance committees have terms of references that clearly define roles, responsibilities, and expectations from members;

ensuring that the oversight committees fulfill their roles and responsibilities as outlined in each oversight committee's terms of reference; and

keeping meeting minutes on a consistent basis.

Strengthen the Cyber Security related information–sharing practices by developing policies, procedures and tools to ensure timely and systematic exchange of information among partners and stakeholders.